TIBCO MFT Response to Struts Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Article ID: KB0074148

Products / Versions
TIBCO Managed File Transfer Command Center 8.3.0 and 8.2.1

Description

A Struts vulnerability has been discovered:

CVE-2020-17530 detail:
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 - Struts 2.5.25.

Environment

All supported environments

Resolution

MFT releases that can be upgraded:
The Apache Struts project has provided an update that resolves this issue: Struts 2.5.26.
MFT releases 8.2.1 and 8.3.0 use Struts 2.5 and can be upgraded with the Struts 2.5.26 downloads, which resolve this vulnerability.

MFT releases that cannot be upgraded:
These releases use Struts 2.3. Struts 2.3 is no longer supported; there is no fix for Struts 2.3.
MFT 8.0.x
MFT 8.1.x
MFT 8.2.0
There is no upgrade path from Struts 2.3 to Struts 2.5 for MFT 8.2.0 and lower.
If you are running 8.0.x or 8.1.x, install MFT 8.2.1 and the most current 8.2.1 hotfix.
If you are running 8.2.0, install the SPMFT821 Service Pack and the most current 8.2.1 hotfix.
Once you are at the 8.2.1 or higher release level, you can follow the instructions below to manually upgrade the Struts files.
 
 
Instructions to manually upgrade Struts files for MFT 8.2.1 and MFT 8.3.0
The Struts upgrade files can be downloaded from https://struts.apache.org/download.cgi
Download the Struts full distribution: struts-2.5.26-all.zip

Extract these four files from struts-2.5.26-all.zip:
freemarker-2.3.30.jar
ognl-3.1.28.jar
struts2-core-2.5.26.jar
struts2-tiles-plugin-2.5.26.jar

Make a backup of this directory:
<MFT-Install>/server/webapps/cfcc/WEB-INF/lib

Copy the four extracted files to this directory:
<MFT-Install>/server/webapps/cfcc/WEB-INF/lib

Delete the original versions of the four files. The original file names may differ depending on the MFT version and hotfix level.

Restart the MFT server.
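The manual jar swap above, scripted as an added example that is not TIBCO's or Apache's own tooling. It backs up WEB-INF/lib first, removes the old copies of the four artifacts (whose version suffixes vary by hotfix level) and copies the Struts 2.5.26 jars in; a small check function reports which struts2-core version is deployed, which is the quickest way to confirm whether a given MFT host is still exposed. The variables MFT_INSTALL and STRUTS_EXTRACT (the directory holding the four extracted jars) are assumptions of this example, not names from the article.

```shell
#!/bin/sh
# Added example, not TIBCO's or Apache's own tooling: scripts the manual Struts
# jar swap described in the article for an MFT 8.2.1 / 8.3.0 WEB-INF/lib directory.
# Assumptions (not from the article): MFT_INSTALL holds the MFT install root,
# STRUTS_EXTRACT a directory holding the four jars taken from struts-2.5.26-all.zip.

NEW_JARS="freemarker-2.3.30.jar ognl-3.1.28.jar struts2-core-2.5.26.jar struts2-tiles-plugin-2.5.26.jar"
# Name prefixes of the artifacts being replaced; the old version suffix varies by hotfix level.
OLD_PREFIXES="freemarker- ognl- struts2-core- struts2-tiles-plugin-"

# Print the version of every struts2-core jar in a lib directory (one per line).
# Returns 1 when none is present, so it doubles as a "was the upgrade applied?" check.
struts_core_version() {
  found=1
  for f in "$1"/struts2-core-*.jar; do
    [ -e "$f" ] || continue
    v="${f##*/struts2-core-}"
    echo "${v%.jar}"
    found=0
  done
  return $found
}

# Back up the lib directory, remove the old copies of the four artifacts, then copy
# the new jars in. Prints the backup path on success. Old jars are removed before
# the new ones are copied so the prefix match can never delete the replacements.
upgrade_struts_jars() {
  lib="$1"; src="$2"
  backup="$lib.bak.$(date +%Y%m%d%H%M%S)"
  [ -d "$lib" ] || { echo "lib directory not found: $lib" >&2; return 1; }
  for jar in $NEW_JARS; do
    [ -f "$src/$jar" ] || { echo "missing $src/$jar" >&2; return 1; }
  done
  cp -Rp "$lib" "$backup" || return 1
  for prefix in $OLD_PREFIXES; do
    for old in "$lib/$prefix"*.jar; do
      [ -e "$old" ] && rm -f "$old"
    done
  done
  for jar in $NEW_JARS; do
    cp "$src/$jar" "$lib/" || return 1
  done
  echo "$backup"
}

# Stand-alone use: only acts when both assumed variables are set.
if [ -n "${MFT_INSTALL:-}" ] && [ -n "${STRUTS_EXTRACT:-}" ]; then
  lib="$MFT_INSTALL/server/webapps/cfcc/WEB-INF/lib"
  echo "struts2-core before: $(struts_core_version "$lib")"
  upgrade_struts_jars "$lib" "$STRUTS_EXTRACT" && echo "struts2-core after: $(struts_core_version "$lib")"
fi
```

The script stops before touching anything if any of the four jars is missing from the extract directory, and the restart of the MFT server remains a separate manual step as in the article. Run struts_core_version against the lib directory afterwards (or across a fleet) to confirm that 2.5.26 is what the container will load.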

Note: hotfixes 8.3.0 HF-003 and 8.2.1 HF-005 include the Struts upgrade and can be applied to resolve the vulnerability. These fixes were not GA at the time this article was published.

Issue/Introduction

TIBCO MFT Response to Struts CVE-2020-17530